Overview

During a merger, an acquired startup kept a separate identity tenant and email, which led to duplicate accounts, confusing login prompts, and inconsistent device and access policies. Intelligex orchestrated a staged migration of domains and mailboxes, consolidated identities into the parent’s Microsoft Entra ID tenant, and enrolled devices into the parent’s management stack with clear communications and approvals. Cutovers ran in waves under change control, guest access and aliases were preserved where needed, and helpdesk saw fewer login issues as directories and access policies aligned—while both organizations’ tools remained in place throughout the transition.

Client Profile

  • Industry: Technology and services
  • Company size (range): Established enterprise acquiring a cloud-first startup
  • Stage: Separate Microsoft 365 tenants; Microsoft Entra ID for identity; Exchange Online for mail; Intune used by parent for device management; mixed device posture and Conditional Access across the two environments
  • Department owner: IT & Infrastructure (Identity, Messaging, and Endpoint Management)
  • Other stakeholders: Security and Privacy, HR, Legal, Corporate Communications, Departmental IT at the startup, Helpdesk, Procurement, Internal Audit, Change Management

The Challenge

The startup operated in its own tenant with its own domains, accounts, and policies. Employees now had two sets of credentials, and guest links bridged day-to-day collaboration. Calendars did not fully interoperate, distribution lists diverged, and mobile clients prompted for different tenants depending on the workflow. Devices enrolled in different management tools followed different Conditional Access rules, so support fielded frequent login, enrollment, and mailbox questions.

Mail routing and branding added complexity. The parent wanted customer-facing mail to originate from the parent’s domain, while preserving the startup’s aliases during the transition. Forwarding rules and guest invites created loops, and shared mailboxes lived in different directories. The teams needed a predictable path to move identities, mail, and devices without breaking access or losing history, and they needed approvals and communications that kept the organization informed and aligned.

Why It Was Happening

The two-tenant model worked before the acquisition, but it left systems without a shared source of truth for identity, groups, and policies. Each tenant enforced its own MFA and Conditional Access, so outcomes differed by app and device. Mailboxes and domains were tied to the startup’s tenant, and device enrollment pointed to different compliance baselines. Without a single plan for directory reconciliation, mailbox moves, and device re-enrollment, everyday issues surfaced as people crossed tenant boundaries.

Ownership was split. Messaging, identity, and endpoint teams each had a part of the picture, while Legal, HR, and Communications needed to control timing and messaging. There was no end-to-end workflow that bound discovery, approvals, cutovers, and rollback into one path with evidence.

The Solution

Intelligex implemented a staged consolidation that aligned identity, mail, and device management under the parent’s Microsoft Entra ID and Microsoft 365 tenant. Identity mapping and cross-tenant synchronization established a clean target directory; domains were prepared and migrated in controlled windows; Exchange Online mailboxes moved with minimal downtime; and devices were enrolled into Intune with co-existence where needed. Conditional Access and MFA policies were harmonized gradually. The approach used Microsoft guidance for cross-tenant identity and mailbox moves (Microsoft Entra cross-tenant synchronization, Cross-tenant mailbox migration), device enrollment in Microsoft Intune, and policy gating via Conditional Access, with change control and communication handled in the existing ITSM (for example, ServiceNow).

  • Identity reconciliation: Source-to-target mapping for users, groups, and roles; cross-tenant synchronization to create shadow objects; attribute normalization for UPN and primary SMTP address formats; conflict resolution and reviews.
  • Domain migration: Staged removal of domains from the startup tenant and addition to the parent; alias preservation plans; mail flow and DNS changes scheduled under change windows with rollback steps.
  • Mailbox moves: Exchange Online cross-tenant migration with pre-staging, testing, and cutover batches; shared mailbox and resource mapping; send-as and permissions re-established in the target tenant.
  • Device enrollment: Co-existence and staged onboarding into Intune; compliance baselines applied gradually; Autopilot or re-provisioning for edge cases; mobile re-registration guidance delivered in advance.
  • Policy and access: Conditional Access and MFA harmonized by cohort; app assignments validated post-move; guest access converted to member access where appropriate.
  • Collaboration and files: Aliases and forwarding during transition; team sites and shared resources mapped with owners; calendars and resource booking patterns communicated with workarounds during coexistence.
  • Approvals and communications: CAB-gated waves with sign-offs from Security, HR, Legal, and Comms; targeted messages and runbooks by audience; cutover status and helpdesk playbooks prepared.
  • Dashboards and evidence: Pre-flight checks, batch progress, error queues, and post-cutover validation; audit exports tying approvals, batches, and outcomes.
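An added example of the identity reconciliation step above (this is illustrative code, not Intelligex's tooling and not Microsoft's cross-tenant synchronization itself): it applies an assumed UPN/SMTP naming standard to a constructed export of the startup tenant, keeps every old address as a secondary alias so mail to the startup domain still routes during coexistence, and sorts each account into create, convert-guest, skip-disabled or conflict so that conflicts are reviewed by a person before any object is synchronized. The naming rule, the action labels, and all user names and domains are assumptions.

```python
"""Identity reconciliation pre-flight: map each source-tenant user onto the
target tenant's UPN/SMTP standard and classify the move before cross-tenant
sync creates anything. Added example on constructed data, not Intelligex's or
Microsoft's code; the naming rule and the action labels are assumptions."""
from dataclasses import dataclass
import re

TARGET_DOMAIN = "parent.example"   # constructed parent-tenant domain


@dataclass(frozen=True)
class SourceUser:
    upn: str
    proxy_addresses: tuple[str, ...]   # Exchange style: "SMTP:" primary, "smtp:" alias
    account_enabled: bool = True


@dataclass(frozen=True)
class TargetUser:
    upn: str
    user_type: str                     # "Member" or "Guest" (B2B guest invited from the startup)
    mail: str = ""


@dataclass(frozen=True)
class MappingEntry:
    source_upn: str
    target_upn: str
    proxy_addresses: tuple[str, ...]
    action: str                        # create | convert-guest | skip-disabled | conflict:<reason>


def normalize_local_part(local: str) -> str:
    """Assumed target standard: lowercase first.last, '_' and '-' folded to '.',
    apostrophes and other punctuation dropped."""
    local = re.sub(r"[^a-z0-9.]", "", local.lower().replace("_", ".").replace("-", "."))
    return re.sub(r"\.{2,}", ".", local).strip(".")


def target_upn_for(user: SourceUser) -> str:
    return f"{normalize_local_part(user.upn.split('@', 1)[0])}@{TARGET_DOMAIN}"


def target_proxies_for(user: SourceUser, new_upn: str) -> tuple[str, ...]:
    """New UPN becomes the primary SMTP; every old address, the old primary
    included, stays as a lowercase 'smtp:' alias so mail sent to the startup
    domain keeps routing during coexistence."""
    kept = tuple("smtp:" + a[5:] if a.startswith("SMTP:") else a for a in user.proxy_addresses)
    return (f"SMTP:{new_upn}",) + kept


def build_mapping(source_users, target_users) -> list[MappingEntry]:
    members = {t.upn.lower() for t in target_users if t.user_type == "Member"}
    guest_mails = {t.mail.lower() for t in target_users if t.user_type == "Guest" and t.mail}
    claimed: set[str] = set()          # target UPNs already assigned in this run
    entries: list[MappingEntry] = []
    for u in source_users:
        if not u.account_enabled:
            entries.append(MappingEntry(u.upn, "", (), "skip-disabled"))
            continue
        new_upn = target_upn_for(u)
        old_primary = next((a[5:] for a in u.proxy_addresses if a.startswith("SMTP:")), u.upn)
        if new_upn in claimed:                    # two source accounts fold onto one target UPN
            action = "conflict:source-duplicate"
        elif new_upn in members:                  # someone else already owns that UPN in the parent
            action = "conflict:target-member-exists"
        elif old_primary.lower() in guest_mails:  # existing B2B guest becomes the member account
            action = "convert-guest"
        else:
            action = "create"
        claimed.add(new_upn)
        entries.append(MappingEntry(u.upn, new_upn, target_proxies_for(u, new_upn), action))
    return entries


# Constructed sample exports (not real tenants).
SOURCE_USERS = (
    SourceUser("jane.doe@startup.example", ("SMTP:jane.doe@startup.example", "smtp:jane@startup.example")),
    SourceUser("O'Brien.Pat@startup.example", ("SMTP:pat.obrien@startup.example",)),
    SourceUser("sam.lee@startup.example", ("SMTP:sam.lee@startup.example",)),
    SourceUser("Sam_Lee@startup.example", ("SMTP:sam_lee@startup.example",)),
    SourceUser("kim.park@startup.example", ("SMTP:kim.park@startup.example",)),
    SourceUser("old.contractor@startup.example", ("SMTP:old.contractor@startup.example",), account_enabled=False),
)
TARGET_USERS = (
    TargetUser("jane.doe_startup.example#EXT#@parent.example", "Guest", mail="jane.doe@startup.example"),
    TargetUser("kim.park@parent.example", "Member", mail="kim.park@parent.example"),
)

if __name__ == "__main__":
    for e in build_mapping(SOURCE_USERS, TARGET_USERS):
        print(f"{e.action:30} {e.source_upn:34} -> {e.target_upn or '(no target)'}")
```

The two conflict outcomes are the point of running this before sync: a source-duplicate means two startup accounts collapse onto one target UPN under the new standard, and a target-member-exists means the parent already has a different person on that name. Neither can be resolved by a rule, so the entry is parked for the review step and nothing is provisioned for it until a decision is recorded.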

Implementation

  • Discovery: Cataloged users, groups, mailboxes, shared resources, and domains in both tenants; inventoried devices and enrollment states; captured Conditional Access and MFA policies; reviewed legal and branding requirements; gathered change windows and communications expectations.
  • Design: Authored identity mapping rules and UPN/SMTP standards; planned domain cutovers and DNS steps; defined mailbox batch criteria and priorities; selected device co-existence and re-enrollment paths; mapped policy harmonization by cohort; designed dashboards, rollback plans, and helpdesk scripts.
  • Build: Configured cross-tenant sync for target objects; prepared Exchange Online migration endpoints and test moves; validated domain readiness and records; set up Intune enrollment and compliance baselines; created Conditional Access templates; integrated ITSM for approvals, schedules, and status tracking.
  • Testing/QA: Piloted identity, mailbox, and device moves with a small cohort; validated mail flow, calendar access, and group permissions; tested mobile re-registration and device compliance; rehearsed domain cutover and rollback in a lab; tuned mappings and communications based on feedback.
  • Rollout: Ran waves by function and location; pre-staged mailbox content and switched primary addresses during windows; enrolled devices in cohorts; applied Conditional Access templates progressively; retained coexistence and guest access as a controlled fallback until stability proved out.
  • Training/hand-off: Delivered guides for end users on login changes, Outlook profile updates, and mobile re-registration; briefed helpdesk on known issues and scripts; updated SOPs for account creation, group management, and device onboarding; transferred ownership of mappings, templates, and dashboards to Identity, Messaging, and Endpoint teams under change control.
  • Human-in-the-loop review: Stood up daily cutover reviews to clear error queues, address edge cases, and refine runbooks; recorded decisions with rationale and effective dates; fed lessons learned into subsequent waves.

Results

Identity and mail moved from a patchwork of guest access and duplicate accounts to a single, governed tenant. People signed in with one identity, aliases and groups resolved consistently, and helpdesk could see the same directory and device posture for each user. Mailboxes moved with history intact, and customer?facing mail used the right domain without manual forwarding.

Operations stabilized. Devices followed one management baseline with clear compliance signals, Conditional Access applied evenly, and onboarding and offboarding followed a single set of SOPs. Leadership saw clean directories and unified access policies, and audit trails tied each wave to approvals and outcomes. Core platforms stayed; the new layer was an orchestrated plan with staged cutovers, communication gates, and rollback mechanics.

What Changed for the Team

  • Before: Two tenants, guest links, and duplicate identities. After: One identity per person in the parent tenant with mapped groups and roles.
  • Before: Mailboxes and aliases split across tenants. After: Mailboxes moved, aliases preserved, and outbound mail branded correctly.
  • Before: Mixed device enrollment and policy drift. After: Devices enrolled in one MDM with shared compliance baselines.
  • Before: Conditional Access varied by tenant. After: Policies harmonized and applied by cohort with documented exceptions.
  • Before: Cutovers relied on ad hoc coordination. After: Waves ran under CAB with status dashboards and rollback plans.
  • Before: Helpdesk chased tenant and device context. After: One directory and device view guided support and reduced login issues.

Key Takeaways

  • Decouple identity from mail first; reconcile accounts and group ownership before moving mailboxes and domains.
  • Use cross-tenant features; follow supported patterns for identity sync and mailbox moves to reduce surprises.
  • Stage everything; pilot, then run waves with clear rollback and helpdesk scripts.
  • Preserve the user story; keep aliases and shared resources working during transition with documented workarounds.
  • Harmonize policies gradually; apply Conditional Access and MFA by cohort with approvals.
  • Integrate, don’t replace; keep tenants and tools stable while adding orchestration, governance, and communications.

FAQ

What tools did this integrate with? Identity and access consolidated in Microsoft Entra ID with cross-tenant synchronization (Entra cross-tenant synchronization). Mailboxes moved using Exchange Online cross-tenant migration (Cross-tenant mailbox migration). Devices enrolled into Microsoft Intune, and access policies were aligned with Conditional Access. Change control and communications ran through the existing ITSM (for example, ServiceNow).

How did you handle quality control and governance? Every wave required CAB approval with artifacts for identity mapping, mailbox batches, domain changes, and rollback steps. Cross-tenant sync ran in monitor mode first, and mailbox test moves validated throughput and permissions. Conditional Access and compliance baselines were versioned with owners and rationale. Dashboards tracked progress and errors, and decisions were recorded with effective dates.

How did you roll this out without disruption? The program piloted with a small cohort to validate sign-in flows, mail flow, and device re-registration. Mailbox content was pre-staged, and primary address switches happened during approved windows. Guest access and forwarding acted as interim bridges. Helpdesk received runbooks and message templates ahead of each wave, and the prior path remained available as a controlled fallback until stability was confirmed.

How did you move mailboxes and manage domains? Domains were prepared by clearing dependencies in the source tenant, then added to the target after verification. Mailboxes moved using cross-tenant migration with batches grouped by department and priority. Aliases were preserved, send-as and permissions were re-created in the target, and mail flow and DNS changes were executed under change windows with a tested rollback.
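The "clearing dependencies in the source tenant" step in that answer, as an added example on constructed records (illustrative code, not Intelligex's or Microsoft's): Entra ID will not release a verified domain while users, groups or their addresses still reference it, so the script lists every user, shared mailbox or group that pins the domain through its UPN, mail attribute or a proxy address, names the remediation for each, and re-checks a planned post-remediation view before the change is scheduled. The fallback domain name, the object model and the remediation wording are assumptions; the example goes slightly beyond the text by also covering group mail addresses and non-SMTP proxy entries.

```python
"""Domain-removal pre-flight for the source tenant: list every directory object
that still references the domain being moved to the parent, since a verified
domain cannot be removed while users, groups or their addresses reference it.
Added example on constructed records, not Intelligex's or Microsoft's code;
the fallback domain and the remediation wording are assumptions."""
from dataclasses import dataclass

DOMAIN = "startup.example"                        # constructed domain leaving the source tenant
FALLBACK_DOMAIN = "startup.onmicrosoft.example"   # constructed stand-in for the tenant's initial domain


@dataclass(frozen=True)
class DirectoryObject:
    object_type: str                    # "User", "SharedMailbox" or "Group"
    identifier: str                     # UPN for users and mailboxes, mail for groups
    proxy_addresses: tuple[str, ...] = ()


@dataclass(frozen=True)
class Blocker:
    object_type: str
    identifier: str
    attribute: str                      # userPrincipalName | mail | proxyAddresses
    value: str
    remediation: str


def _in_domain(address: str, domain: str) -> bool:
    """Mail-style values match on their domain part, prefixed ("SMTP:", "sip:")
    or not; X500 and similar prefix-only entries have no '@' and never match."""
    _, at, dom = address.rpartition("@")
    return bool(at) and dom.lower() == domain.lower()


def _move(address: str, fallback: str) -> str:
    return address.split("@", 1)[0] + "@" + fallback


def find_blockers(objects, domain=DOMAIN, fallback=FALLBACK_DOMAIN) -> list[Blocker]:
    """Every attribute that still pins `domain` to the source tenant, with the
    change needed before the domain can be removed here and added to the target."""
    blockers: list[Blocker] = []
    for obj in objects:
        if _in_domain(obj.identifier, domain):
            attr = "mail" if obj.object_type == "Group" else "userPrincipalName"
            blockers.append(Blocker(obj.object_type, obj.identifier, attr, obj.identifier,
                                    f"rename to {_move(obj.identifier, fallback)}"))
        for addr in obj.proxy_addresses:
            if _in_domain(addr, domain):
                fix = (f"demote primary to {_move(addr, fallback)}" if addr.startswith("SMTP:")
                       else "drop alias; re-create it in the target tenant after the domain moves")
                blockers.append(Blocker(obj.object_type, obj.identifier, "proxyAddresses", addr, fix))
    return blockers


def is_ready_for_removal(objects, domain=DOMAIN) -> bool:
    return not find_blockers(objects, domain)


def remediated_view(objects, domain=DOMAIN, fallback=FALLBACK_DOMAIN) -> tuple[DirectoryObject, ...]:
    """Planning helper: what the objects look like once the remediations above are
    applied. Real changes go through the directory under change control, not here."""
    out = []
    for obj in objects:
        ident = _move(obj.identifier, fallback) if _in_domain(obj.identifier, domain) else obj.identifier
        proxies, seen = [], set()
        for addr in obj.proxy_addresses:
            if _in_domain(addr, domain):
                if not addr.startswith("SMTP:"):
                    continue                          # plain alias on the domain: dropped
                addr = _move(addr, fallback)          # primary SMTP: kept, moved to fallback
            if addr.lower() not in seen:              # avoid a duplicate if the fallback already existed
                seen.add(addr.lower())
                proxies.append(addr)
        out.append(DirectoryObject(obj.object_type, ident, tuple(proxies)))
    return tuple(out)


# Constructed sample export (not a real tenant).
SAMPLE_OBJECTS = (
    DirectoryObject("User", "jane.doe@startup.onmicrosoft.example",
                    ("SMTP:jane.doe@startup.onmicrosoft.example", "smtp:jane.doe@startup.example")),
    DirectoryObject("User", "sam.lee@startup.example",
                    ("SMTP:sam.lee@startup.example", "X500:/o=ExchangeLabs/ou=Recipients/cn=sam")),
    DirectoryObject("Group", "all-hands@startup.example", ("SMTP:all-hands@startup.example",)),
    DirectoryObject("SharedMailbox", "support@startup.onmicrosoft.example",
                    ("SMTP:support@startup.onmicrosoft.example",)),
)

if __name__ == "__main__":
    for b in find_blockers(SAMPLE_OBJECTS):
        print(f"{b.object_type:13} {b.identifier:40} {b.attribute:18} {b.value} -> {b.remediation}")
    print("ready now:", is_ready_for_removal(SAMPLE_OBJECTS),
          "| ready after plan:", is_ready_for_removal(remediated_view(SAMPLE_OBJECTS)))
```

Run against the constructed export, the report shows the usual pattern of a half-finished preparation: one user already renamed but still carrying an alias on the old domain, one user and one group untouched. The aliases dropped here are the same ones the target-side mapping re-adds as secondary addresses, which is how the alias-preservation plan and the domain removal stay consistent with each other.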

How were devices handled? Devices enrolled into Intune in cohorts. Where co-existence was possible, devices were brought under management without re-image. Edge cases used Autopilot or guided re-provisioning. Mobile devices received re-registration instructions and support clinic times. Compliance and Conditional Access applied progressively to avoid surprise lockouts.

What about MFA prompts and app access? MFA and Conditional Access were harmonized by cohort, and app assignments were validated post-move. Known prompt storms were mitigated by communications, token reset guidance, and staged policy application. Exceptions for critical apps followed a maker-checker path with expirations.

How did you communicate to end users? Communications were tailored by audience with clear timelines, what to expect, and quick steps for Outlook profiles and mobile re-registration. Corporate Communications and HR approved messages, and a support channel handled day-of issues. Post-cutover surveys and helpdesk feedback informed subsequent waves.
